[katello-devel] Rails SQL vulnerability

David Davis daviddavis at redhat.com
Thu Jan 3 01:03:21 UTC 2013


The Rails Core Team has found a SQL vulnerability and patched it. It affects all versions of Rails.

https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM

I looked through our codebase though and couldn't find any place that would be vulnerable. Here's an example of the vulnerability:

user_input = {:limit => 1}
User.find_by_id(user_input) # produces "SELECT * FROM users ... LIMIT 1"

Note that the actual case that produces the vulnerability is really small, as it requires a hash to be passed to a dynamic finder. Using params, which is a HashWithIndifferentAccess, and also any hash in params (as they are also HWIAs) will just throw an exception:

user_input = {:limit => 1}.with_indifferent_access
User.find_by_id(user_input) # ArgumentError: Unknown key(s): limit

David
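The guard below is an added example, not code from the post above or from Katello: it rejects non-scalar values before they can reach a dynamic finder, and pairs that with a stand-in (not ActiveRecord's own code) for the two SQL shapes the post describes. The names scalar_finder_arg, UnsafeFinderArgument and simulated_find_by_id_sql are assumptions made for this example.

```ruby
# Added example: a type guard for values handed to find_by_* dynamic finders.
# A plain Hash reaching find_by_id is read as finder options (e.g. :limit),
# which is the behaviour described in the post; refusing anything that is
# not a scalar closes that path regardless of where the value came from.

class UnsafeFinderArgument < ArgumentError; end

# Hypothetical helper: returns value if it is a scalar safe to pass to a
# dynamic finder, raises UnsafeFinderArgument otherwise.
def scalar_finder_arg(value)
  case value
  when Integer, String, Symbol, nil, true, false
    value
  when Hash
    raise UnsafeFinderArgument,
          "Hash passed where a scalar was expected (keys: #{value.keys.inspect})"
  when Array
    raise UnsafeFinderArgument, "Array passed where a scalar was expected"
  else
    raise UnsafeFinderArgument, "Unsupported finder argument: #{value.class}"
  end
end

# Stand-in for the SQL a dynamic finder would build (NOT ActiveRecord's
# implementation), used only to show the two code paths side by side.
def simulated_find_by_id_sql(value)
  if value.is_a?(Hash)
    # A Hash is interpreted as finder options, not as the id to match on
    "SELECT * FROM users LIMIT #{Integer(value[:limit])}"
  else
    "SELECT * FROM users WHERE id = '#{value}'"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a scalar id and an attacker-shaped plain Hash
  puts simulated_find_by_id_sql(scalar_finder_arg(42))
  begin
    simulated_find_by_id_sql(scalar_finder_arg({:limit => 1}))
  rescue UnsafeFinderArgument => e
    puts "rejected: #{e.message}"
  end
end
```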